It would certainly also be great if I could use my Trezor to secure my Librem 15.

The good news is that you already can, I think. There is a U2F module for the Linux Pluggable Authentication System (PAM) used for logging in on many (all) distros.

And the bad news is that the “user experience” is not great. To set things up, you need to use various command line tools and edit configuration files. Some of those edits could lock you out, if you make mistakes.

But once set up, things run smoothly. When you have typed your password, you will get an extra prompt to activate the U2F token. Touch the device and you’re in. (Works for me on Gnome, I have no U2F experience with other desktop environments.)
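The lock-out risk mentioned above is real because a mistyped PAM line or an unreadable key mapping fails closed. The following pre-flight helper is an added example, not from this thread or the pam_u2f project; it assumes the mapping file was produced with `pamu2fcfg -u "$USER"` against the U2F device (e.g. the Trezor), and that it will be installed system-wide as `/etc/u2f_mappings`.

```shell
#!/bin/sh
# Pre-flight checks before enabling pam_u2f for login (constructed helper,
# not part of the original thread). Run it before editing /etc/pam.d and
# keep a root shell open in a second terminal until `sudo` works with the token.

# check_u2f_mapping FILE USER
# Validate a pamu2fcfg-style mapping file for USER.
# Line format: user:keyhandle,publickey[,cosetype,options][:keyhandle,...]
# Returns 0 when a well-formed, non-world-writable entry exists, 1 otherwise.
check_u2f_mapping() {
    file=$1
    user=$2
    [ -r "$file" ] || return 1
    # pam_u2f reads this as root; a world-writable file lets anyone enroll a key.
    if [ -n "$(find "$file" -prune -perm -002 2>/dev/null)" ]; then
        return 1
    fi
    # At least one "keyhandle,publickey" pair must follow "user:".
    grep -Eq "^${user}:[^,:[:space:]]+,[^,:[:space:]]+" "$file" || return 1
    return 0
}

# pam_u2f_line AUTHFILE
# Emit the stanza to add to the PAM service (e.g. /etc/pam.d/common-auth).
# "required" means the token is mandatory after the password; "cue" prints
# the "touch your device" prompt the post above describes.
pam_u2f_line() {
    printf 'auth required pam_u2f.so authfile=%s cue\n' "$1"
}

# Demo on a constructed mapping (a real one comes from pamu2fcfg).
demo_file=$(mktemp)
printf 'alice:EXAMPLEKEYHANDLE,EXAMPLEPUBKEY,es256,+presence\n' > "$demo_file"
if check_u2f_mapping "$demo_file" alice; then
    echo "mapping OK; add this line to the PAM service:"
    pam_u2f_line /etc/u2f_mappings
else
    echo "mapping invalid or insecure; do not enable pam_u2f yet" >&2
fi
rm -f "$demo_file"
```

Test with `sudo -k && sudo true` in a separate terminal before logging out of the desktop session; if the token prompt does not appear or fails, revert the PAM line from the still-open root shell.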

That sounds great! I’m not afraid of the command line. My main distro on my Librem 15 now is Mint LMDE. I use the regular Mint Cinnamon on my desktop. Could you please post links and/or instructions on what to install, preferably from the default repositories.

One idea that came to mind for the next version of the Librem Key would be to update the design such that it could be plugged inline with a USB keyboard to enable features such as deterministic key generation, additional encryption of stored keys, translating typed passwords into hashes (with a special keystroke to activate, of course), etc. The beneficial use cases are many and it makes a great first step until we finally see a Librem southbridge fighting for our privacy.

Is this key part of the boot process? Meaning, if you lose the key, are you out of luck?

The key only helps you verify boot, but Heads can continue without the key, you just get a warning since you aren’t verifying that the BIOS wasn’t tampered with. If you lose the key or don’t have it with you, you can always just hit Enter at boot time and boot the system without it.

pixel:

Can a backup key be made?

For GPG keys, yes, at generation time you can back up to your local system or a thumb drive. In the future we intend on including a backup USB thumb drive people can use to store a backup of their GPG keys in a safe/safe deposit box/etc.

Currently Heads only supports enrolling a single Librem Key, so for tamper-evident boot things are a bit trickier since the incrementing counter on the Librem Key you use would be different from the one on your backup. But again, you can skip this at boot, so if you lose the Librem Key you can just enroll a new one going forward (and can use Heads’s TOTP verification from a phone if you want in the meantime).

pixel:

Can this integrate with LUKS?

We are working with Debian upstream to change cryptsetup so that it can support GPG keys for decryption natively. Hopefully this will be settled soon.

pixel:

And/or can coreboot do LUKS so the whole disk can be encrypted without needing a plaintext part? I’m using Qubes, but curious to know if any of this works with PureOS too.

The Heads runtime has to fit in the 16Mb flash chip on the Librem laptops, so there are some limitations to what we can include there. Encrypting /boot, though, would complicate what Heads does when it scans all the files in /boot to make sure they aren’t tampered with. The idea here is for Heads to try to detect tampering before you type in any secrets (like decryption keys).